HHS cracks down: provider to pay $100,000 in HIPAA penalties over lost laptops

The Department of Health and Human Services has levied a $100,000 fine on Seattle-based Providence Health and Services for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

The violation, involving unprotected backup tapes, optical disks and laptops three years ago, compromised the protected health information of more than 386,000 patients, HHS officials said.

In addition to the fine, one of the heftiest levied by HHS thus far for a HIPAA violation, Providence will be required to follow a detailed corrective action plan for adequately safeguarding identifiable electronic patient information. HHS officials said the resolution agreement is the first of its kind.

Winston Wilkinson, the director of the HHS Office of Civil Rights (OCR), said other providers should take notice. The enforcement agency "is committed to effective enforcement of health information privacy and security protections for consumers," he said.

The OCR and the Centers for Medicare & Medicaid Services report they have successfully resolved more than 6,700 HIPAA Privacy and Security Rule cases, each requiring the entities to make systemic changes to health information privacy and security practices. Providence's cooperation with the OCR and CMS allowed HHS officials to resolve the case without the need to impose a civil penalty (the $100,000 fine was called a "resolution amount" by HHS officials).

Wilkinson said the agency commends Providence for its cooperation during the investigation and for "their voluntary implementation of comprehensive and system-wide improvements to protect individually identifiable health information."

The case involved exchanges of information between two entities in the Providence health system, Providence Home and Community Services and Providence Hospice and Home Care. On several occasions between September 2005 and March 2006, backup tapes, optical disks and laptops containing unencrypted electronic protected health information were removed from the Providence premises and left unattended, HHS officials said.

HHS officials received more than 30 complaints about the stolen tapes and disks after Providence, pursuant to state notification laws, informed patients of the theft. Providence also reported the stolen media to HHS.

The OCR and CMS focused their investigations on Providence's failure to implement policies and procedures to safeguard the information.

Under the resolution agreement, Providence must revise its policies and procedures for encryption, off-site transport and storage of electronic media containing patient information. Subject to HHS approval, Providence must train workforce members on the safeguards, conduct audits and site visits of facilities and submit compliance reports to HHS for three years.

Eric Cowperthwaite, Providence's chief information security officer, said patient information protection is a top priority. "Since these incidents occurred, we have reinforced our security protocols and implemented new data protection measures," he said. "Under the terms of the agreement, we will continue to implement appropriate policies, procedures and training."

Kerry Weems, acting administrator of the CMS, said the resolution confirms that effective compliance means more than just having written policies and procedures.

"To protect the privacy and security of patient information, covered entities need to continuously monitor the details of their execution and ensure that these efforts include effective privacy and security staffing, employee training and physical and technical features," Weems said.